* [pve-devel] [PATCH pve-common v2] inotify: interfaces: also set type 'bridge' for empty bridges
@ 2025-08-08 9:32 Hannes Laimer
2025-08-08 9:59 ` [pve-devel] applied: " Fabian Grünbichler
0 siblings, 1 reply; 2+ messages in thread
From: Hannes Laimer @ 2025-08-08 9:32 UTC (permalink / raw)
To: pve-devel
If a bridge has `bridge_ports` set to `none` we just skip the field.
Later we use the existence of the field to determine whether the type
should be `bridge`. This led to bridges without `bridge_ports` not
being recognized as bridges.
In the `/nodes/{}/network` endpoint we do permission checks for
bridges, and if interfaces were missing the type=bridge field no
permission checks were done. This led to interfaces being returned
even if the user did not have permission to access them.
This fixes this by also setting the type to `bridge` for empty bridges.
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
as Fabian noted on v1, this probably also makes sense to add to
stable-bookworm
changes since v1, thanks @Fabian:
- fix problem where `bonds` were also recognized as bridges
src/PVE/INotify.pm | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/PVE/INotify.pm b/src/PVE/INotify.pm
index bbcb9f8..898b522 100644
--- a/src/PVE/INotify.pm
+++ b/src/PVE/INotify.pm
@@ -994,7 +994,10 @@ SECTION: while (defined($line = <$fh>)) {
} elsif ($id eq 'slaves' || $id eq 'bridge_ports') {
my $devs = {};
foreach my $p (split(/\s+/, $value)) {
- next if $p eq 'none';
+ if ($p eq 'none') {
+ $d->{'is_empty_bridge'} = $id eq 'bridge_ports';
+ next;
+ }
$devs->{$p} = 1;
}
my $str = join(' ', sort keys %{$devs});
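Review bot: in the new `none` branch, `$d->{'is_empty_bridge'} = $id eq 'bridge_ports';` also runs for `slaves none`, where it stores a defined but false value in the interface hash. The second hunk deletes the key only inside the bridge branch, which a false flag on its own does not enter, so such an entry keeps a stray `is_empty_bridge` key in the parsed result. Setting the flag only when it is true, for example `$d->{'is_empty_bridge'} = 1 if $id eq 'bridge_ports';`, avoids that.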
@@ -1077,7 +1080,8 @@ OUTER:
my $ip_link = $ip_links->{$altnames->{$iface} // $iface};
- if (defined $d->{'bridge_ports'}) {
+ if (defined $d->{'bridge_ports'} || $d->{'is_empty_bridge'}) {
+ delete $d->{'is_empty_bridge'} if defined $d->{'is_empty_bridge'};
$d->{type} = 'bridge';
if (!defined($d->{bridge_stp})) {
$d->{bridge_stp} = 'off';
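Review bot: the `delete` on the first line inside the `if` runs only when the branch is taken, and its `if defined` guard is redundant because `delete` on a missing key is a no-op. Taking the flag out before the test, e.g. `my $is_empty_bridge = delete $d->{'is_empty_bridge'};` followed by `if (defined $d->{'bridge_ports'} || $is_empty_bridge) {`, keeps the internal marker out of the returned config on every path and is easier to read. Since the commit message ties `type` to the permission checks, a parser test with a `bridge_ports none` stanza would guard against regressions; the diffstat shows only `src/PVE/INotify.pm` changed.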
--
2.47.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] applied: [PATCH pve-common v2] inotify: interfaces: also set type 'bridge' for empty bridges
2025-08-08 9:32 [pve-devel] [PATCH pve-common v2] inotify: interfaces: also set type 'bridge' for empty bridges Hannes Laimer
@ 2025-08-08 9:59 ` Fabian Grünbichler
0 siblings, 0 replies; 2+ messages in thread
From: Fabian Grünbichler @ 2025-08-08 9:59 UTC (permalink / raw)
To: pve-devel, Hannes Laimer
On Fri, 08 Aug 2025 11:32:03 +0200, Hannes Laimer wrote:
> If a bridge has `bridge_ports` set to `none` we just skip the field.
> Later we use the existence of the field to determine whether the type
> should be `bridge`. This led to bridges without `bridge_ports` not
> being recognized as bridges.
>
> In the `/nodes/{}/network` endpoint we do permission checks for
> bridges, and if interfaces were missing the type=bridge field no
> permission checks were done. This led to interfaces being returned
> even if the user did not have permission to access them.
>
> [...]
Applied, thanks!
Added a small follow-up to make it a bit more explicit/easier to read.
[1/1] inotify: interfaces: also set type 'bridge' for empty bridges
commit: 1555ab5d76d8675e1f16a197ee744cee33200a21
Best regards,
--
Fabian Grünbichler <f.gruenbichler@proxmox.com>